Command Line

Access to OpenStack using the command line utility

SAML2 ECP

Login via application credentials does not work for some services. As an alternative, you can log in to OpenStack with a username and password. The SAML2 ECP protocol is used in the background for this: the client authenticates to the specified IdP via HTTP Basic authentication and passes the resulting SAML assertion to Keystone. For this login method, the following environment variables must be set:

export OS_AUTH_URL=https://keystone.public.os.wwu.de/v3
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public
export OS_AUTH_TYPE=v3samlpassword
export OS_IDENTITY_PROVIDER=dfnaai
export OS_PROTOCOL=saml2
export OS_IDENTITY_PROVIDER_URL=https://zividp.uni-muenster.de/idp/profile/SAML2/SOAP/ECP
export OS_USERNAME=
export OS_PASSWORD=
export OS_PROJECT_NAME=
export OS_PROJECT_DOMAIN_NAME=Default

Since this method of authentication is quite slow, you can create a token afterwards and use it for all further commands:

export OS_TOKEN=$(openstack token issue -c id -f value)
export OS_AUTH_TYPE=v3token
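
With the exports above, OS_PASSWORD stays in the shell's environment and is inherited by every process started from it, while only the one `openstack token issue` call needs it. The following is an added example, not the openstackauth.sh script mentioned below and not code from this site; the function name os_token_login is hypothetical, and it assumes the remaining OS_* variables are already exported as listed.

```shell
# Added example, not the site's openstackauth.sh. Define it in the current shell
# (e.g. by sourcing this file), then run: os_token_login
os_token_login() {
    _user=${OS_USERNAME:-} _pw=${OS_PASSWORD:-} _rc=0
    if [ -z "$_user" ]; then
        printf 'Username: ' >&2
        IFS= read -r _user || _rc=1
    fi
    if [ -z "$_pw" ] && [ "$_rc" -eq 0 ]; then
        printf 'Password: ' >&2
        stty -echo 2>/dev/null || true   # suppress echo when stdin is a terminal
        IFS= read -r _pw || _rc=1
        stty echo 2>/dev/null || true
        printf '\n' >&2
    fi
    # From here on the password exists only in the unexported variable _pw.
    unset OS_PASSWORD
    if [ "$_rc" -ne 0 ] || [ -z "$_user" ] || [ -z "$_pw" ]; then
        unset _user _pw _rc
        echo 'os_token_login: username and password are required' >&2
        return 1
    fi
    # The command substitution is a subshell: the exports below, including the
    # password, are visible to this one openstack call and then discarded.
    _token=$(
        OS_AUTH_TYPE=v3samlpassword OS_USERNAME=$_user OS_PASSWORD=$_pw
        export OS_AUTH_TYPE OS_USERNAME OS_PASSWORD
        unset OS_TOKEN
        openstack token issue -c id -f value
    ) || _token=
    unset _user _pw _rc
    if [ -z "$_token" ]; then
        unset _token
        echo 'os_token_login: token issue failed' >&2
        return 1
    fi
    # Switch the session to token authentication, as in the two lines above.
    OS_TOKEN=$_token OS_AUTH_TYPE=v3token
    export OS_TOKEN OS_AUTH_TYPE
    unset _token
}
```

Tokens are time-limited, so run the function again once the token has expired.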

There is also an interactive authentication script that generates a token in the way described above.

As a prerequisite, the OpenStack CLI must be installed (due to a bug, a specific pinned version must be used). The lxml package must also be installed.

pip install python-openstackclient==5.2.1 lxml

The mentioned script must be “sourced” into the session, because it sets environment variables:

source ./openstackauth.sh

After you have successfully authenticated and received a token, you should be able to run OpenStack CLI commands. Refer to the official documentation to get an idea of what you can do.